Fight the battle against payments fraud

Fraudsters are relentless in their schemes to target businesses and exploit their cyber vulnerabilities. The best way to prevent fraud is to prepare for it. Here’s how.

In the digital age, a cyberattack is like a natural disaster – a persistent and unpredictable threat. In 2023, 80% of U.S. organizations were targets of payments fraud, according to the  2024 Association for Financial Professionals Payments Fraud and Control Survey Report.

After payments fraud numbers were down for three straight years, incidents spiked again in 2023, with 80% of organizations reporting that they were victims of payments fraud, up from 65% in 2022. Increased diligence and preventative measures are essential if treasury and finance professionals want to stay ahead of fraudsters to mitigate business interruptions and financial losses.

What’s the best way to prevent getting scammed by payments fraud?

“Know your organization’s vulnerabilities and prepare for attacks,” says Dan Kautz , vice president Global Treasury Management at U.S. Bank. “Criminals will take advantage of your weaknesses regardless of the amount of money in your accounts.”

Those weaknesses include a lack of IT infrastructure, smaller staffs and fewer controls – all of which attract cybercriminals. Criminals’ tactics constantly evolve, and business email compromise (BEC) remains a significant threat, with 63% of organizations having experienced it in 2023. This number is down from 71% in 2022, likely a result of better email filtering and an increased effort to train employees to identify fraudulent emails. 

Payments fraud increased in 2023, nearly reaching peak incident numbers seen in 2018

After a steady decrease from 2018 to 2022, the number of organizations that experienced attempted or actual payments fraud rose to 80% in 2023. This follows a steady drop in each year from 2019 to 2022 that followed the peak in 2018, when 82% of organizations reported being victims of fraud attacks or attempts.
 

Webinar replay: Cybersecurity threats and fraud prevention best practices

Reduce financial risk and protect your organization as our Fraud Intelligence team shares strategies to mitigate the fraud-related vulnerabilities facing businesses today. Our Treasury Management team also shares solutions that could help reduce fraud risk for your organization in the future.

Watch it now>

The persistent realities of BEC

In 2023, 63% of organizations experienced  business email compromise (BEC), according to the survey.

“These are legitimate payments, and that makes them very difficult to detect,” Kautz says of BEC attacks, wherein criminals persuade employees to initiate wire, check or credit card payments by sending fraudulent emails.

The emails appear to be from genuine customers, vendors or executives. They may ask for bank account numbers or routing codes. They can also include requests for personally identifiable information (PII) or Wage and Tax Statement (W-2) forms for employees.

Enterprises with at least $1 billion in annual revenue were more susceptible to BEC scams, according to the survey. Companies with less than $1 billion in annual revenue were more likely to be defrauded by individuals outside their organizations.

The greater threat to those organizations comes from the theft of personal and confidential information. Damages from these thefts can be difficult to measure, ranging from financial penalties to legal and regulatory actions.

BEC scams continue to evolve

Criminals continue to harvest personally identifiable information through the web and social media and use it to execute sophisticated BEC scams. They pose as trusted executives or vendors to either initiate unauthorized payments or change payment information to intercept disbursements.

According to the survey, 77% of BEC involved spoof emails designed to trick users into thinking they are interacting with a trusted source.

Educating employees on the threat of BEC and training them to identify spear phishing attempts is important to controlling BEC. . 

Checks remain primary target

Although businesses operate in a digital world, checks remain the primary target. Why? Their prevalence and technological advancements that have made it easier to create more convincing forgeries.

Almost two-thirds of organizations surveyed experienced attempted and/or actual payments fraud with checks. Paper checks remain especially vulnerable for criminals to steal them, alter payee names or amounts and then endorse and deposit them into accounts they created.

That dramatically outpaced the prevalence of other payments fraud attempts:

• Checks – 65%
• ACH debits – 33%
• Wire transfers – 24%
• Corporate/commercial credit cards – 20%
• ACH credits – 19% 
  

According to  the survey, the largest spike occurred with ACH debits. Meanwhile, corporate and commercial credit card fraud significantly decreased from 36% in 2022 to 20% in 2023, as did ACH credit fraud – down from 30% in 2022 to 19% in 2023. 

How to protect your organization

Banks have vast experience fighting payments fraud, which often makes them a secure and trusted resource for guidance and mitigation advice following an attack.

In fact, 85% of respondents said they are most likely to seek assistance from their banking partners about what steps to take.

Kautz recommends that your organization take the following steps to help protect itself:

• Provide comprehensive training: All employees should receive training to help them identify and respond to potential attacks.
• Institute physical, digital and procedural controls: Require the use of dual approval for all payments. Establish a dedicated workstation through which all payments must be executed and limit employee access to personal email, all of which will limit your organization’s exposure to potential threats.
• Promote mindfulness: Executives should empower and encourage employees to think carefully, ask questions and verify, before executing transactions.
• Share personal information sparingly: Executives should avoid sharing biographical and direct contact information online, where cybercriminals can harvest it for use in BEC attacks.

“Companies hear about fraud in the news, but they think it won’t happen to them,” Kautz says. “That couldn’t be further from the truth. All it takes is one bad email or one wrong click.”

Don’t wait until your organization experiences a fraud attempt. Take time now to search for gaps in your fraud prevention program. Our fraud prevention checklist and tips to reduce corporate payments fraud can help:

• Fraud prevention checklist

U.S. Bank is committed to helping you meet your treasury management needs, including fraud prevention. To learn more, contact a U.S. Bank relationship manager or treasury management consultant.